It's All About Trust
Periodically, we ask the senior leadership of the global security community to give us feedback on their top priorities in the command, control, communications, computers, intelligence and information technology domains. In the past couple of years, they have been fairly consistent in saying that their top priority is interagency and coalition information sharing.
As a result, AFCEA and its members have focused a good deal of attention on these issues. Not surprisingly, we have found that there are a number of crucial factors to address that can be grouped into the categories of technology, security and governance. But, in the end, we have found that it comes down to trust.
Think about it. Within a single enterprise, we know the players and their attributes and have access to that data. It is when we cross domain boundaries that the issues begin. We don’t have universal directories, we have no easy means of verifying identity, and we have no access to attribute information. We have no basis for trust.
Sharing information effectively across domain boundaries calls for three fundamental requirements: the technical means to move the information; the will to share it, which is not as simple as it sounds—it is not human nature to share easily; and the means to establish trust.
The first requirement is, in my opinion, the easiest of the three. Given maturing standards and Web 2.0 technologies, the technical means to share information—even securely—is there. Check with your kids if you don’t believe me—they share information all the time. I will admit that the International Traffic in Arms Regulations (ITAR) can get in the way, but that is the subject of another commentary—maybe next month’s column.
For the second requirement, I believe that senior leadership does possess the will to share information, but pushing that concept down through the ranks is a different matter. In the near term, it is very likely that we can create a mandate to share. This is a matter of policy, training and incentives. As long as it is applied universally within agencies or a coalition, it can be made to work.
The third requirement—the trust piece—is the highest hurdle in my view. To make information sharing work effectively across domains requires agreement on a common set of business rules, which include the verification of identity and the use of attributes to establish a role basis for access. A mechanism also is needed to administer these rules. Sensitivities about the provision and storage of data abound.
A common way to address this problem is to establish a federated identity and attribute service. The parties need to agree on the federation and the business rules, which is not a trivial task, but the data owners retain their data, using a trusted data switch—often referred to as a trust broker—to establish the connection between a transaction and the source data.
We recently conducted a workshop for the NATO Consultation, Command and Control Agency (NC3A) to address this set of issues for NATO; it was a good and productive session. We identified a number of focus areas that need to be addressed for a NATO implementation of identity and attribute services in the organization’s federated network environment.
Work remains to be done with NATO members, but they are engaged in the dialogue, and that is the first essential step. What struck me during this workshop was the commonality of issues among all who are working to address this problem. It occurred to me that everyone—government, industry and academia—must work together to make this capability effective and universal.
All of this must start with an agreement on policy that clearly establishes that we will share information. Then we need agreement that we will federate identity and attribute services. It doesn’t matter whether government or industry provides these services; it only matters that we agree on the mechanism for federation and the business rules that will be used to determine access.
Finally, we must agree that we will trust the outcome of the application of those rules. In the end, none of this will work without trust. We must leverage the coordination bodies we have: interagency councils within governments and coalitions among governments. Organizations such as AFCEA can serve as catalysts to encourage this dialogue.